To Patch Or Not To Patch

Julius Musseau

The Equifax Struts disaster happened because someone failed to patch. The recent Event-Stream NPM incident, by contrast, came from an attacker carefully abusing NPM's built-in auto-patch mechanism. In this AppSec talk I'll cover the historical causes of these patching problems. I'll conclude with some risk-balanced patching approaches I've seen employed by a handful of projects that I think show us the way forward for AppSec patching.
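The "auto-patch mechanism" the abstract refers to is, on the assumption made here, NPM's semver range resolution: a dependency declared as `^1.2.3` or `~1.2.3` lets a fresh install pull in any later patch (and, for caret, minor) release without a change to the consuming project, which is how a newly published malicious version reaches downstream users. The following is an added example, not code from the talk or from NPM itself; it re-implements only the small subset of semver range matching needed to show which versions each declaration shape accepts. The package versions and the "malicious 1.2.4" are constructed for the demonstration.

```javascript
// Added example (not from the talk abstract): a minimal resolver for the three
// most common NPM range shapes (exact pin, tilde, caret), used to show which
// newly published versions a dependency declaration will silently accept.
// Real NPM uses the `semver` package; this covers only plain x.y.z versions.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for an exact pin, a tilde range or
// a caret range, following the published semver-range rules.
function rangeBounds(range) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const [major, minor, patch] = base;
  if (op === '') return [base, [major, minor, patch + 1]];   // exact: only x.y.z
  if (op === '~') return [base, [major, minor + 1, 0]];      // tilde: patch updates only
  // caret: the left-most non-zero component stays fixed
  if (major > 0) return [base, [major + 1, 0, 0]];
  if (minor > 0) return [base, [0, minor + 1, 0]];
  return [base, [0, 0, patch + 1]];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Which versions out of a registry listing would each declaration accept on a
// fresh install with no lockfile?
function acceptedVersions(range, published) {
  return published.filter((v) => satisfies(v, range));
}

// Constructed sample: the package was at 1.2.3 when the app was written; later
// releases include a hypothetical malicious 1.2.4 pushed by a new maintainer.
const PUBLISHED = ['1.2.3', '1.2.4', '1.3.0', '2.0.0'];

for (const range of ['1.2.3', '~1.2.3', '^1.2.3']) {
  console.log(`${range.padEnd(7)} -> ${acceptedVersions(range, PUBLISHED).join(', ')}`);
}
```

Only the exact pin keeps the constructed malicious 1.2.4 out; both the tilde and caret declarations accept it on the next install that is not constrained by a lockfile. That is the trade-off the talk title points at: the same range that delivers a legitimate security patch automatically also delivers a hostile one.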

Attend this session to:

1. Learn about critical moments in software engineering history where small decisions around versioning created patching headaches that persist to the present day.